Troubleshooting Wireless Networks with Wireshark

Introduction

Wireless networks present unique challenges for troubleshooting due to their invisible nature. Wireshark, when used with the right hardware and techniques, can provide invaluable insights into Wi-Fi performance issues, security concerns, and protocol-specific problems.

Pro Tip: Always ensure you have permission to capture and analyze wireless traffic, especially in shared or public spaces.

Required Hardware

To effectively capture wireless traffic, you'll need:

A wireless network adapter capable of monitor mode
For 802.11ac analysis: A compatible adapter supporting 5 GHz bands
For optimal results: Dedicated wireless capture devices (e.g., Airpcap)

Note: Not all wireless adapters support monitor mode. Check your adapter's specifications.

Configuring Wireshark for Wireless Capture

Put your wireless adapter into monitor mode:
- On Linux: Use airmon-ng start wlan0
- On macOS: Use sudo airport en0 sniff 6 (replace 6 with desired channel)
- On Windows: This often requires special drivers or external tools
In Wireshark, select the monitor mode interface (often appears as "mon0" or similar)
Start the capture

Common Wireless Issues and How to Diagnose Them

1. Poor Signal Strength

Look for:

Low signal strength in beacon frames (use the "wlan_radio.signal_dbm" filter)
High number of retransmissions (filter: "wlan.fc.retry == 1")

2. Channel Congestion

Analyze:

Distribution of packets across channels (Statistics > WLAN Traffic)
Presence of non-WiFi interference (look for periodic, unexplained gaps in traffic)

3. Authentication Issues

Investigate:

EAP frames for 802.1X authentication problems (filter: "eap")
Association and re-association requests/responses (filter: "wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x02")

4. DHCP Problems

Examine:

DHCP discover, offer, request, and ACK sequence (filter: "dhcp")
Timing between DHCP messages for delays

Advanced Wireless Analysis Techniques

1. Analyzing Beacon Frames

Use the filter "wlan.fc.type_subtype == 0x08" to view beacon frames. Look for:

Supported rates
Channel information
Security settings (WPA, WPA2, etc.)

2. Tracking Client Roaming

To analyze how clients move between access points:

Filter for a specific client: "wlan.addr == client_mac_address"
Look for re-association requests to different BSSIDs

3. Identifying Hidden SSIDs

Use the filter "wlan.fc.type_subtype == 0x05" to view probe responses, which can reveal hidden SSIDs.

4. Analyzing Frame Retries

High numbers of retries can indicate interference or poor signal quality. Use the filter "wlan.fc.retry == 1" and examine the pattern of retried frames.

Wireless Security Analysis

Wireshark can help identify potential security issues:

Detect rogue access points by analyzing beacon frames
Identify clients connecting to open networks (filter: "wlan.fc.protected == 0 && wlan.fc.type_subtype == 0x00")
Look for weak encryption methods (WEP, TKIP) in beacon frames

Caution: Never attempt to decrypt or capture sensitive data without explicit authorization. Many jurisdictions have strict laws regarding wireless traffic interception.

Troubleshooting Checklist

Verify adapter is in monitor mode and on the correct channel
Check signal strength and noise levels
Analyze channel utilization and potential interference
Examine authentication and association processes
Investigate DHCP and IP configuration issues
Look for excessive retransmissions or data rate shifts
Analyze security settings and potential vulnerabilities